More Frequently Asked Digital Forensics Questions

This week we’re tackling a few more of the questions we routinely get from attorneys, business owners, and management, whether at the outset or deep into the process of a digital forensic investigation.


How long after a suspected incident can you still retrieve usable data?

The short answer: potentially forever, as long as the drive hasn’t been truly wiped or physically destroyed.

But realistically, the sooner the better. The more time that passes, the higher the risk that crucial evidence gets overwritten or changed. For example, when a file is deleted, it isn’t actually removed from the hard drive until another file overwrites that same space. That means:

  • If a file was deleted a year ago, and the computer’s been used by someone else since, it’s still quite possible that traces of that file, or records of its deletion, exist.
  • However, the actual content might have been partially or fully overwritten, making it less useful.

This is why we always recommend setting aside any suspect computer or device immediately, to preserve the best possible evidence.

Some of our clients even hold onto machines for a set period (say, two months) after an employee in a sensitive role departs, just in case evidence surfaces later that they walked off with valuable data. Others, often clients we’ve worked with for years, routinely send us laptops from key employees right after departure. We make quick forensic images, run checks for USB activity, personal email use, and online file storage (Google Drive, Dropbox, etc.). This proactive approach can be a game changer.

And if you’d prefer to handle it internally, we can train your IT staff on proper imaging techniques.


Can you retrieve deleted text messages?

Sometimes. Here’s how we usually approach it:

  1. The phone itself:
    We can take a forensic image of the smartphone and attempt to recover deleted texts directly. However, this is highly time-sensitive: the longer it’s been since deletion, the more likely those areas on the device have been overwritten.
  2. The user’s computer:
    If the phone was ever connected to a computer, even just to charge or sync media, there’s a chance a backup exists. We can forensically image the computer, extract any backups, and analyze them. Often there are multiple backups, which can give us a chronology of messages over time, even spanning across older phones. We’ve found years’ worth of iPhone backups on a single machine this way.
  3. The cloud:
    Many iPhones (by default) sync texts via iCloud. If we have the credentials, we can often pull down these messages and analyze them.

Taken together, these methods give us several avenues to find deleted texts, long after they might seem to have vanished.
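The backup chronology described in step 2 can be sketched in code. This is an added example, not part of the original post or the firm's own tooling. It lists every iPhone backup folder found on a computer, reads each folder's Info.plist, and orders the backups by date, noting whether the message database is present. The folder names, device names and dates are constructed sample data; the Info.plist keys and the sms.db naming follow the iTunes/Finder backup layout.

```python
import hashlib
import plistlib
import tempfile
from datetime import datetime
from pathlib import Path
from xml.parsers.expat import ExpatError

# Backup files are named by SHA-1 of "<domain>-<relative path>"; this one is the message store.
SMS_DB_ID = hashlib.sha1(b"HomeDomain-Library/SMS/sms.db").hexdigest()

def backup_timeline(root):
    """One record per backup folder under root, oldest first, undated last."""
    rows = []
    for info_path in Path(root).glob("*/Info.plist"):
        folder = info_path.parent
        try:
            info = plistlib.loads(info_path.read_bytes())
        except (plistlib.InvalidFileException, ExpatError, OSError):
            info = {}  # damaged metadata: keep the folder, leave it undated
        # Newer backups shard files into two-character subfolders; older ones are flat.
        has_sms = any(p.is_file() for p in (folder / SMS_DB_ID[:2] / SMS_DB_ID,
                                            folder / SMS_DB_ID))
        rows.append({"folder": folder.name, "device": info.get("Device Name"),
                     "model": info.get("Product Type"),
                     "last_backup": info.get("Last Backup Date"), "has_sms_db": has_sms})
    return sorted(rows, key=lambda r: (r["last_backup"] is None,
                                       r["last_backup"] or datetime.min, r["folder"]))

def build_sample(root):
    """Constructed evidence tree (not real data): two phones and one damaged backup."""
    def make(name, info, sms_rel=None):
        folder = Path(root) / name
        folder.mkdir(parents=True)
        (folder / "Info.plist").write_bytes(plistlib.dumps(info) if info else b"garbage")
        if sms_rel:
            target = folder / sms_rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(b"")  # empty stand-in for sms.db
    make("aaaa-old-phone", {"Device Name": "Sample iPhone 6", "Product Type": "iPhone7,2",
                            "Last Backup Date": datetime(2019, 3, 1, 8, 0)}, SMS_DB_ID)
    make("bbbb-new-phone", {"Device Name": "Sample iPhone 11", "Product Type": "iPhone12,1",
                            "Last Backup Date": datetime(2022, 6, 15, 21, 30)},
         f"{SMS_DB_ID[:2]}/{SMS_DB_ID}")
    make("cccc-damaged", None)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for row in backup_timeline(tmp):
            print(row)
```

On a real case, `root` would be the MobileSync/Backup folder inside a read-only mount of the forensic image (typically `~/Library/Application Support/MobileSync/Backup` on macOS or `%APPDATA%\Apple Computer\MobileSync\Backup` on Windows), never the live machine.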


What’s the difference between a digital forensic examiner and an investigator?

Great question, and an important one.

There are many competent forensic examiners who can retrieve data from a wide range of devices. But simply pulling data isn’t always enough.

At Swailes, we pride ourselves on being digital forensic investigators. The distinction is more than just semantics:

  • An examiner can locate and recover data, perhaps reconstruct timelines or see which files were accessed.
  • An investigator goes beyond that, taking into account the broader context:
    • The business or legal stakes (IP theft, misuse, compliance, licensing issues, litigation, etc.)
    • The mindset and likely motives of the people involved, based on years of experience.
    • How to tailor findings (via reports, affidavits, or testimony) for maximum value to the client’s specific situation.

Not all evidence carries the same weight in every scenario. We understand that, and our approach is always focused on maximizing the impact of the data for the client’s objectives. That’s what we call “the investigative difference.”


Are there warning signs of an employee preparing to steal data?

While sometimes there’s no clear sign, there are common red flags we’ve observed repeatedly:

  • Behavior changes.
    Discontent often follows triggers like missing a raise, being passed over for promotion, or disputes over commissions. These can sow the seeds for wrongdoing.
  • Becoming “too helpful.”
    Eagerly taking on more projects or acting as a hub for information can be normal teamwork, or it might be groundwork for quietly gathering sensitive data.
  • Tech patterns that don’t add up.
    Sudden reliance on USB drives or external hard drives to “help the team,” or personal emails / online storage used to “work from home” outside their usual behavior.
    This is especially suspect if paired with secrecy, quick drag-and-drops, or brushing off questions.

Also watch for groups of employees exiting together. We’ve seen that often correlate with coordinated data theft.

All of this might seem obvious, but emotions often cloud judgment, creating “blind spots” that make it harder to spot these signs in the moment.


What are some risk mitigation strategies to protect our data?

Several immediate steps come to mind:

Solid employment agreements.
Work with your attorney to draft contracts that clearly establish:

  • The work product employees create belongs to the company.
  • They’re prohibited from bringing in proprietary data from prior employers.
  • They’re obligated to protect your data and keep it confidential.

Build a culture of security.
If protecting data is seen as a collective priority, deviations stand out more. It also helps guard against social engineering, phishing, and other cyber risks.

Stay proactive.
Use “red flag” training with managers to help spot concerning patterns before they become major problems.

Consider Data Loss Prevention (DLP) tools.
These systems can log and sometimes actively block risky data transfers (to USB, personal email, cloud storage, etc.). They vary in complexity and cost, but are increasingly common in organizations that want to keep tighter control.


If you have other questions, or a scenario you’re dealing with right now, let us know. Whether it’s intellectual property theft, recovering deleted files, or setting up proactive defenses, we’re here to help.
